CyberWire Daily

Telegram for the throne. [Research Saturday]

Feb 21, 2026
Tomer Bar, VP of Security Research at SafeBreach Labs and lead author of the 'Prince of Persia' report, walks through a decade of Iranian-linked APT activity. He highlights new Foudre and Tonnerre malware variants. He discusses evolving C2 over time, Telegram-based command-and-control, expanded campaign scale, and tactics like fake installers and supply-chain lures.
INSIGHT

Persistent Iran-Linked Surveillance Campaign

  • Prince of Persia conducts long-running surveillance of Iranian dissidents and opposition figures to gather intelligence.
  • The group adapts continuously, resurfacing with improved tooling after takedowns.
INSIGHT

C2 Evolution Thwarts Takedowns

  • The group evolved from fixed C2s to domain generation algorithms and C2 verification to resist takedowns.
  • These defenses let the malware refuse impostor servers unless cryptographic checks succeed.
INSIGHT

Staged Recon Then Full Surveillance

  • Attack chains use staged malware: reconnaissance (Foudre) then full surveillance (Tonnerre) when victims prove valuable.
  • Foudre collects system information and keystroke logs, which the operators use to decide whether to pull down the heavier Tonnerre implant.